'Open MS Passport': MyUID Goes Beta
mastergoon writes "MyUID, which has been referred to as an "open MS Passport", has opened their doors to public beta testing. MyUID is a user database system, with the purpose of allowing virtually anyone to refer to its records using only HTTP or HTTPS. Many companies have unified login systems, like Yahoo! and Microsoft, but unlike MyUID, these databases cannot be put to use by any site. As of now there is an alpha release PHP4 connectivity API, which while not feature rich is in full working order. APIs should be available in your favourite language soon. You can view this example of a site remotely connecting to MyUID using the alpha API, and give a go at spoofing a login. They want the security of the login methods tested extensively before going production."
Problems (Score:5, Insightful)
MyUID may revoke your account at any time, with or without a reason. If you have a subscribed account, you will not be refunded unless there are special circumstances.
All data in your account and messages you send and receive belong to MyUID. If you are looking for private transmissions you should be using encrypted e-mails.
--------------
The problem with sites like this is you don't know who is behind them, you don't know what makes them tick, you don't know who has access to your data. Until they allow me to encrypt my data with my own key and not allow anyone access to it (even themselves) they're not going to see my business.
Wrong idea? (Score:5, Insightful)
Site and software-dependent logins exist to protect us and our privacy, are we really willing to give those up so every site we use shares the login jdoe2004?
-Matt
Re:Wrong idea? (Score:5, Insightful)
Different from MS Passport? (Score:4, Insightful)
I think that some people are missing the point (Score:4, Insightful)
Now whether this project is ultimately useful is debatable.
Security? (Score:5, Insightful)
Re:Are we sure this is for real? (Score:3, Insightful)
Excuse me, but FAQ stands for "Frequently Asked Questions". Why do you expect there to be a lot of Frequently Asked Questions before there are any users to ask ANY questions?
Totally backwards (Score:5, Insightful)
The two options already available are both (at least marginally) better. Those options being: collecting minimal personal data at my site, or using a well-known and industry-monitored company as the aggregate.
If Yahoo! or Microsoft ran off with user data, at least they'd have something to lose. The same can't be said about MyUID. They could collect data for six months then run off and sell it to illegal immigrant smugglers. Who knows? They have no reputation, no history, and nothing to lose.
And I guess it's not so bad if they just stick with UID/Password and not personal data, but I'd still sooner wait for a reputable company who chose to open the API.
No totally (Score:5, Insightful)
It's a very good point: why would you? I could see you using your amazon.com account for one of their subsidiaries but a global, public identification system - regardless of data stored - just screams "hack me". What's worse: unless you're a company with big buying power (like Microsoft) you're not going to have invested in the security necessary to protect those back-end servers from every HTTPD/mySQL/BIND? exploit out there, meaning one lucky strike could potentially compromise every user on the system.
ouch.
-Matt
The problem... (Score:4, Insightful)
With Passport, you know you're only dealing with big-name sites that are going to be linked from MSN.com, but here you have to wonder about the chain of trust.
But, LDAP is standard (Score:5, Insightful)
Every website could have a root server for its zone, registering new users' LDAP root server for authentication. There could also be third-party LDAP server providers: ISPs could be part of it, because they have got the login/pass associated with your connection, and they are already running LDAP servers.
Re:Wrong idea? (Score:5, Insightful)
but realize that there is value for some folks in having a "universal" id system. why do you think that your SSN in the US is used so widely?
again, there are many problems, but there exist benefits too.
Re:FAQ (karma whoring) (Score:3, Insightful)
it seems like myuid hasn't seen enough light to get many questions in the first place.
Good SPAM (Score:4, Insightful)
Where's the security?
Markus Diersbock
Similar but different (Score:3, Insightful)
Now note that the providers of this or any comparable software simply cannot have that kind of backing, no fraud protection exists, and no working method of recovering your identity exists in the event your account is stolen.
-Matt
Re:Problems (Score:2, Insightful)
Re:Are we sure this is for real? (Score:5, Insightful)
Nobody's asking "what is it?"
Re:Similar but different (Score:3, Insightful)
Well, sort of. I originally thought this as well, but then I quickly realized that most of my life I've filled in my SSN for every bank account, school form or medical questionnaire (to name a few). Your SSN is floating around all over the place, albeit in supposedly protected databases, but definitely not just being protected by the U.S. government.
Regarding MyUID, I'd rather not. If we're really supposed to be fighting the war on terror this would be a good place to start, by not centralizing so much information. Our power grid is a perfect example of a very vulnerable system. It doesn't seem like a good idea to emulate that in an information system if you're concerned about security.
Then again, it's not like state secrets would be held in this thing.
Re:Flying solo? (Score:5, Insightful)
From the FAQ... (Score:4, Insightful)
A: No.
It is exactly this cocky, pointless geek-speak tone that stops these projects from gaining wide appeal with the less technically-inclined majority (and the business community in particular).
MyUID is a good idea, but like with so many open source projects run by CompSci students, if it's communicated like this, it won't get off the ground. When will these people learn?
The "My" prefix (Score:5, Insightful)
Part of what bothers me about this phenomenon is that the word "My" is so selfish. I think a lot of the problems we are seeing on the Internet come from this selfishness (spam, viruses). "My" is so vague and relative. Why not give "My Computer" a name so more than one person can talk about it. "My" is usually not accurate. Computers and other resources are frequently shared.
I can't even begin to understand what "MySQL" is supposed to mean.
It seems like I'm alone on this one though. Everyone acts like I'm crazy when I try to discuss this. Anyone else out there feel this way about the word "My"? Maybe we can form some type of support group.
I don't get it (Score:3, Insightful)
Centralized authentication server for internet = Good
???????????
Unimpressive (Score:4, Insightful)
http://www.myuid.com/activate.php?email=fdgdfs%3C
Maybe this is unrepresentative, but to me this just screams that MyUID haven't the first idea about webapp security and have no business developing something non-trivial like a single-sign-on system.
Free clue to PHP weenies: using magic quotes does not magically make your scripts secure. Cheers then.
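Editor's note on the comment above: the probe URL passes a URL-encoded "<" (%3C) as the e-mail parameter, which is the classic way to test whether a PHP4-era site that relies on magic_quotes_gpc reflects input into HTML unescaped. The comment does not say what MyUID's page actually returned, so the example below makes no claim about that; it is an added illustration, not MyUID's code or its PHP4 API, and the function names are invented for it. It emulates what magic quotes did (addslashes() on every request value), shows why that leaves "<" untouched, and contrasts it with validating the parameter and escaping for the HTML context.

```php
<?php
// Added example, not code from MyUID. Function names are invented for illustration.
// PHP 4/5.x magic_quotes_gpc applied addslashes() to every GET/POST/COOKIE value
// (deprecated in 5.3, removed in 5.4). Emulate that here so the effect is explicit.
function magic_quoted($raw) {
    // addslashes() escapes only ' " \ and NUL. Angle brackets and & pass through.
    return addslashes($raw);
}

// Vulnerable pattern: echo the "sanitised" value straight into HTML.
function activate_page_unsafe($email_param) {
    $email = magic_quoted($email_param);
    return "<p>Activation mail sent to $email</p>";
}

// Hardened pattern: validate the value for what it claims to be, then escape for
// the context it is emitted into (HTML body/attribute here).
function activate_page_safe($email_param) {
    if (filter_var($email_param, FILTER_VALIDATE_EMAIL) === false) {
        return "<p>Activation failed: invalid e-mail address.</p>";
    }
    $safe = htmlspecialchars($email_param, ENT_QUOTES, 'UTF-8');
    return "<p>Activation mail sent to $safe</p>";
}

// Constructed inputs: the comment's probe, and a typical reflected-XSS payload.
$probe = urldecode('fdgdfs%3C');            // "fdgdfs<"
$xss   = '"><script>alert(1)</script>';

echo activate_page_unsafe($probe), "\n";    // raw "<" reaches the page; addslashes changed nothing
echo activate_page_unsafe($xss), "\n";      // the quote is backslashed, the <script> tag is intact
echo activate_page_safe($probe), "\n";      // rejected by validation before any output
echo activate_page_safe($xss), "\n";        // likewise rejected
echo activate_page_safe('user@example.com'), "\n";
```

The point the commenter is making is the first two lines of output: slash-escaping is a (weak) defence for one context, single-quoted SQL string literals, and says nothing about HTML, shell, LDAP or any other sink the value is later written to. Escaping belongs at the output boundary, chosen per context, with input validation as a separate earlier step.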
Why NOT to use this... (Score:4, Insightful)
Passport assumes that everyone who wants centralised authentication is happy to have this information be held/known to Microsoft.
Liberty assumes that individuals are only interested in centralisation of information across closed user groups; either:
1) A single site, made up of multiple services, is interested in acting as a cohesive single whole (for example, a login that logs you in to the whole of OSDN, rather than just Slashdot), or
2) A single site is interested in sharing its identities with suppliers; for example, your corporate intranet allowing their absence management, healthcare, stock options, and other service providers to allow you to log into that corporate account using your intranet username/password.
They're completely and utterly different goals. Passport, arguably, has no value in a modern society where people know full well how these identities can be used; Liberty is a more realistic usage scenario, in a multitude of ways.
Liberty is still young; while the software is getting quite good, it's still a hassle to set up an Authentication Provider or turn your site into something that can support the Liberty Service Provider API. This will change. It will work and survive solely because it doesn't need internet users, as a whole, to accept it. It works on the principle that people who have a need to unify their authentication systems, without writing crappy little APIs, can do so, in the small scale, at the level where it can actually see benefits.
registration requires cookies (Score:3, Insightful)
What is this? (Score:5, Insightful)
Interestingly, it does say in the ToS:
MyUID will not give or sell your private account information or your password to anyone,
which seems a lie. But it goes on!
MyUID will supply any information we have about you to law enforcement officials if necessary.
They'll rat on you even if not required by law. Yay!
In order to use MyUID, you must be a human over 13 Earth years old, living in a state where internet usage is legal.
The FAQ has two questions, one of which is 'Can penguins fly?'. I wouldn't hold my breath for this service to become very big.
Registered user #1 [myuid.com] is mastergoon, so this is just blatant self-advertising on slashdot.
DSA keys database? (Score:2, Insightful)
Re:Are we sure this is for real? (Score:3, Insightful)
On the plus side, at least they'll have first mover advantage no matter how buggy. Hey, it worked for Windows...
Re:Wrong idea? (Score:2, Insightful)
This also has some security considerations. Why do you think it is illegal in France to use the SSN as an identifier?
waste of time (Score:1, Insightful)
Businesses will not have one of their most important assets (customer info) scattered around the web, god knows where!
Maybe they should try to develop something really useful like another GUI for linux.
Re:I haven't read the API but... (Score:3, Insightful)
But to be honest, the real danger of any such system is that it makes the 'trusted central service' necessary for many of these large-scale authentication systems a massively large target.
Imagine: a ubiquitous authentication framework, used everywhere. Wonderful idea -- no more remembering all these damn passwords, everything is Just Secure.
Except that every black hat out there will be trying to crack that central server -- and much hilarity will ensue if they are successful in DDoSing it, or worse, obtain access to the keys within.
Which is one of the reasons why PGP, a decentralised public-key cryptosystem, is still quite popular - no central point of failure.